What we do with your information

When you submit the eligibility form we ask for, and keep, exactly these fields:

• First name — to address you in the reply.
• Email address — so we can send the assessment back.
• Your family story (free-text) — names, places, approximate dates of the Italian-born ancestor.

Alongside the submission, we also store technical context to detect spam and understand which channels bring real people:

• Marketing attribution — UTM parameters and Google Ads click ID (gclid), if present.
• Referrer — the page that linked you here, if your browser sends it.
• Browser user-agent — the standard string browsers report (no fingerprinting beyond that).
• Hashed IP — a one-way SHA-256 hash truncated to 16 characters; we cannot recover the original address. Used only to flag suspicious patterns.

We do not ask for, and do not store, payment information or government documents at this stage.

Submissions are stored in a Postgres database hosted by Supabase in the European Union (Frankfurt region). Connections are encrypted in transit (TLS) and the database is encrypted at rest by the provider. Direct read or write access from the public internet is blocked at the row level; only our server can insert new rows, using a private service-role key that is never exposed to your browser.

• To read your case and email you a written assessment.
• To improve our copy and pages (which keywords brought you here, did the page load).
• To detect spam and automated submissions.

We do not sell your data, and we do not use it for ad retargeting.

We use a small number of third-party services to operate Patria. Each only sees the data it needs:

• Render — hosts the website; sees server logs (IP, user-agent) for security and operations.
• Supabase — stores submissions (as above).
• Resend — sends the assessment email back to you (sees recipient address and message body) only if you submitted the form.
• Google Analytics 4 & Google Ads — see anonymized page-view and click data to measure traffic and campaign performance (see "Cookies & analytics" below).

None of these services have permission to use Patria's data for their own marketing.

We use Google Analytics 4 and Google Ads tagging to understand which marketing channels bring real visitors. These services set first-party cookies (typical names like _ga, _gid, _gcl_au) and collect:

• Page views and scroll behavior
• Approximate geographic region (country/city level, from IP)
• Device type and browser
• How you arrived (referrer, ad click)

You can opt out via your browser's privacy controls, a tracking blocker, or the official Google Analytics opt-out add-on.

Submissions are kept until you ask us to delete them, or for up to 24 months after our last reply — whichever comes first. After that, the row is removed from the production database. Backups age out within 30 days.

If you are in the EU, EEA, or UK, the GDPR gives you the right to:

• Access the data we hold about you.
• Correct anything that is wrong.
• Have it deleted.
• Receive a copy in a portable format.
• Restrict or object to certain processing.
• Lodge a complaint with your national data-protection authority.

Residents of California (CCPA/CPRA) and similar US-state regimes have parallel rights: to know, delete, correct, and opt out of any "sale" or "sharing" — though, as noted, we do neither.

To exercise any of these rights, email us (see below) or simply reply to any Patria message you have received. We respond within 30 days and will not ask for anything beyond what is needed to verify your request.

For privacy questions, deletion requests, or anything else about your data:
hello@patria.us

Patria is a U.S.-based service in pilot phase. This policy will be updated as the service grows; the "as of" date at the top reflects the current version.